
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Organized Crime Trawling for Students (8 December 2006)

According to a report from McAfee, organized crime rings are recruiting potential cyber criminals with tactics that bear similarities to those used by the KGB to recruit spies during the Cold War. Promising students are reportedly receiving offers to finance their educations in return for being plants in businesses targeted by the crime groups. The groups find the students in chat rooms and discussion sites.
-http://technology.guardian.co.uk/news/story/0,,1967226,00.html
-http://www.theregister.co.uk/2006/12/08/vxer_milkround/print.html
-http://news.bbc.co.uk/2/hi/technology/6220416.stm
[Editor's Note (Ullrich): I don't think this is an accident. Eastern European crime groups appear to be heavily seeded with former intelligence officers. ]

Unprotected Computer Leads to Police Raid (7 December 2006)

A Denver (CO) woman was surprised when four armed Boulder County sheriffs with a search warrant knocked on her door and demanded she turn over her computer. The woman's computer was apparently infected and being used to make fraudulent purchases with a stolen credit card. The woman said she had removed a firewall from her computer because it made the machine run too slowly.
-http://www.thedenverchannel.com/news/10486347/detail.html
[Editor's Note (Ullrich): This sentence from the article made me smile: "Investigators said someone hacked into Winkler's computer, stole her IP address ..." I hope the investigators applied more technical insight than is reflected in this quote. (Skoudis): While I'm not thrilled about police spending their time busting the wrong person, I am happy to have this story as an example I can cite when explaining to my non-technical friends the importance of solid security principles (running a personal firewall, installing up-to-date anti-virus and anti-spyware tools, keeping systems patched, etc.). Going forward, when they say it's just too hard to do, I plan on saying, "Well, it's better than having armed police bust down your door!" (Grefer): If you are an end-user and your computer suddenly starts to run slow, do NOT turn off your firewall. Rather, run antivirus and antispyware scans. Starting points might be the offerings at http://free.grisoft.com, http://www.safer-networking.org, and http://www.lavasoftusa.com/products/ad-aware_se_personal.php. They all offer their tools free of charge for personal home use and are reputable sources. ]

NASA Blocks Word Document Attachments (7 December 2006)

NASA has taken Microsoft's advice to heart (see story below) and implemented a policy that blocks incoming Microsoft Word documents as attachments to email. The policy applies to the agency's core computer network and will remain in effect until Microsoft issues a patch for the vulnerability.
-http://www.msnbc.msn.com/id/16095705/
[Editor's Note (Skoudis): This is a good idea, given that Microsoft has announced that patches for the Word problems will not be included in this month's batch of patches. Such solutions aren't perfect, but they can help to stem the tide somewhat if your enterprise culture will let you filter Word documents. (Ullrich): Don't just hunt the vulnerability of the day. Organizations need to figure out how to deal with attachments in general, not just Word documents. Most malicious attachments are executed by users without exploiting any vulnerabilities. (Frantzen): If you face a risk of targeted attacks, it's smart to always block Microsoft Office attachments. Since it will be a long time before Microsoft fixes this problem, attackers may use their spare time during the holidays to abuse the vulnerability or spread code abusing it, and the holidays mean many defenders will be out of the office. As was shown last year with the WMF vulnerability, the holiday season is a terrible time to have 0-days floating about. ]

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS

A teenager sentenced by police to take a computer training course to address anti-social behavior admitted that he used his newly acquired knowledge to break into people's bank accounts and steal close to NZ$45,000 (US$31,000). The offenses he committed earlier include kidnapping, aggravated robbery and threatening behavior. -http://rawstory.com/news/2006/Teen_learned_how_to_hack_computers__12112006.html

[Editor's Note (Skoudis): Credit card theft remains a major issue. Just last Friday, I got an automated call from my bank, one of the biggest in the world, about a fraud warning. The voice mail was comically synthetic, with a tinny machine mispronouncing my name, urging me to call my bank at a phone number that didn't match the one on my credit card. Given the rise of VoIP phishing, I was instantly suspicious. I called the number printed on my card. As it turns out, the call was legit, and there was a real fraud warning on my card. I was disappointed in my bank for opening themselves to VoIP phishing this way. If you get a fraud warning call, do not dial back to the number in the voice mail. Instead, call only the number printed on the back of your card, or, if the card isn't available, call the number on your last statement. ]

HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY

DHS Supervisor Arrested for Immigration Fraud (8 & 1 December 2006)

A US Department of Homeland Security (DHS) supervisor and US Citizenship and Immigration Services employee has been arrested for allegedly selling citizenship to hundreds of immigrants over the last 10 years. Robert T. Schofield allegedly took more than US$600,000 in bribes to commit naturalization fraud. Earlier in his career, Schofield was investigated for "conduct unbecoming" due to a relationship with a woman who was part of a criminal investigation. He was demoted, fled the US and made US$36,000 in unauthorized charges on a government-issued credit card. At some later date, he returned to the US and eventually obtained the position he held until several weeks ago.
-http://www.familysecuritymatters.org/terrorism.php?id=474039
-http://www.washingtonpost.com/wp-dyn/content/article/2006/11/30/AR2006113000603_pf.html
[Editor's Note (Schultz): If the allegations against Schofield are true, this poignantly shows the importance of performing thorough background checks, not only when individuals are applying for employment, but also afterwards. People comprise the greatest risk in both the computing and non-computing arenas. ]

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Microsoft's monthly security release for December will include five bulletins addressing flaws in Windows and one bulletin for Microsoft Visual Studio. The highest severity rating among these bulletins is Critical; some of the updates may require restarts. Microsoft will not be addressing the Word vulnerabilities in the December 12 update.
-http://www.microsoft.com/technet/security/bulletin/advance.mspx
-http://www.vnunet.com/vnunet/news/2170608/word-flaw-left-patch-tuesday
[Editor's Note (Boeckman): Once again, Microsoft has put their customers in an untenable situation, since most organizations would not be able to function without sharing Word documents. ]

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

A contractor's error left the names and Social Security numbers (SSNs) of hundreds of Vermont health care providers exposed on the Internet. The information was inadvertently made available on a web site where the state of Vermont had posted a request for bids to become the state's health insurance administrator. Vermont Human Resources Commissioner Linda McIntire said the data were available on the site between May 12 and June 19, 2006, but an unnamed doctor said her SSN was still available as recently as last week. -http://www.wcax.com/global/story.asp?s=5790220&ClientType=Printable

BONUS SECTION

The Ten Most Important Security Trends of the Coming Year

Experts Predict the Future

Mobile Devices

1. Laptop encryption will be made mandatory at many government agencies and other organizations that store customer/patient data and will be preinstalled on new equipment. Senior executives, concerned about potential public ridicule, will demand that sensitive mobile data be protected.

2. Theft of PDA smart phones will grow significantly. Both the value of the devices for resale and their content will draw large numbers of thieves.

Government Action

3. Congress and state governments will pass more legislation governing the protection of customer information. If Congress, as expected, reduces the state-imposed data breach notification requirements significantly, state attorneys general and state legislatures will find ways to enact harsh penalties for organizations that lose sensitive personal information.

Attack Targets

4. Targeted attacks will be more prevalent, in particular on government agencies. Targeted cyber attacks by nation states against US government systems over the past three years have been enormously successful, demonstrating the failure of federal cyber security activities. Other antagonistic nations and terrorist groups, aware of the vulnerabilities, will radically expand the number of attacks. Targeted attacks on commercial organizations will target military contractors and businesses with valuable customer information.

5. Cell phone worms will infect at least 100,000 phones, jumping from phone to phone over wireless data networks. Cell phones are becoming more powerful with full-featured operating systems and readily available software development environments. That makes them fertile territory for attackers fueled by cell-phone adware profitability.

6. Voice over IP (VoIP) systems will be the target of cyber attacks. VoIP technology was deployed hastily without fully understanding security.

Attack Techniques

7. Spyware will continue to be a huge and growing issue. The spyware developers can make money in so many ways that development and distribution centers will be developed throughout the developed and developing world.

8. 0-day vulnerabilities will result in major outbreaks resulting in many thousands of PCs being infected worldwide. Security vulnerability researchers often exploit the holes they discover before they sell them to vendors or vulnerability buyers like TippingPoint.

9. The majority of bots will be bundled with rootkits. The rootkits will change the operating system to hide the attack's presence and make uninstalling the malware almost impossible without reinstalling a clean operating system.

Defensive Strategies

10. Network Access Control will become common and will grow in sophistication. As defending laptops becomes increasingly difficult, large organizations will try to protect their internal networks and users by testing computers that want to connect to the internal network. Tests will grow from today's simple configuration checks and virus signature validation to deeper analysis searching for traces of malicious code.

How these trends were determined

Twenty of the most respected leaders in cyber security developed this list. First, each proposed the three developments that they felt were most important. Then they compiled the list of more than 40 trends and voted on which were most likely to happen and which would have the greatest impact if they did happen. That resulted in a prioritized list. To validate their prioritization, they asked the 960 delegates at SANSFire in Washington to each prioritize the 40 trends. More than 340 did so. The SANSFire delegates' input reinforced the experts' prioritization and helped target the Top Ten.

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.

Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription (and for free posters), or to update a current subscription, visit http://portal.sans.org/